Lisa's Story — How an Account Can Be Hacked

Lisa works as a researcher at the University of Twente and uses her university account daily for email, files, and access to databases.

The Phishing Email

On an ordinary Tuesday, she receives an email that seems innocent at first glance: a short message from a supplier requesting approval of an invoice. The email looks professional and features the supplier's logo. Lisa is busy, quickly clicks the link, and enters her username and password in the form; after all, she thinks, it is just a supplier. She doesn't think twice about the fact that she normally never receives invoices from this supplier (they are approved by someone else), or that she is being asked to log in with her university credentials on another company's website. What Lisa doesn't know is that this email wasn't a genuine notification from her supplier, but a carefully orchestrated phishing attack.

Initial Access and Attacker Activities

The attacker has gathered preliminary information (who works where, which email addresses are public) and crafted a believable message. As soon as Lisa enters her credentials, the attacker immediately gains access to her account. Using this initial set of credentials, the attacker logs in as if they were Lisa. Initially, they do very little of note: they view recent emails, perhaps download a few documents, and search contact lists, primarily for colleagues with access to sensitive data or administrative privileges.

The attacker uses Lisa's identity to send a communication: a believable email to a colleague requesting to share "a research dataset" or open an attachment. Because the email appears to come from Lisa, the colleague trusts the request. In this way, the attacker gradually gains more access to systems or files, without raising any red flags.

Escalation and Consequences

At the same time, the attacker sets up persistence mechanisms, settings that allow them to return (for example, creating hidden inbox rules or automatic forwarding of emails), and sometimes removes traces to delay detection. Now that the attacker has access to important folders and contact lists, the situation can become serious. Possible actions include downloading sensitive data, copying research results, or copying confidential lists of personal data. Sometimes the goal is financial (redirecting payments) or reputational damage, sometimes selling the data on the black market. This often happens gradually, in small doses, which makes it less noticeable.

Discovery, Recovery, and Signals

Someone within the organisation notices unusual login notifications: access from an unknown location, or an email sent from Lisa's address that she herself never wrote. When Lisa finally notices unusual activity herself (unexpected password reset notifications, emails she doesn't recognise), it becomes clear: her account has been compromised. Once the compromise is discovered, a chain of events usually follows: Lisa's account is temporarily blocked, passwords are reset, email rules are removed, and any forwarded data is investigated. Sometimes a broader system audit follows, and the data subjects are notified or, in the case of sensitive personal data, the supervisory authority is notified. Recovery may take only a few hours, but the reputational damage or data breach can have long-lasting consequences.

Warnings You Should Immediately Observe

  • Unexpected emails from your own address or to unknown recipients.
  • Notifications about login attempts from unknown locations or devices.
  • Changes to email rules or automatic forwards that you didn't create yourself.
  • Warnings from colleagues that they've received unusual requests from you.
  • Sudden access restrictions or reports of data loss.

If you see these kinds of signs, don't hesitate to contact the security team, CERT-UT. The team is also happy to help when you are in doubt. Together, we keep the university safe.
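The warning signs above can also be checked automatically. The script below is an added example, not part of the original article or any CERT-UT tooling: it runs over a constructed list of mailbox audit events in a hypothetical, simplified format (the field names, the user "lisa", the domains and the timestamps are all invented for illustration) and flags the three signals from the story: a sign-in from an unknown country or device, an inbox rule that forwards mail outside the organisation or deletes it, and outbound mail sent shortly after such a suspicious sign-in.

```python
"""Added example: flag account-compromise signals over constructed audit events.
The event format is a hypothetical simplification, not any real product's log."""
from datetime import datetime, timedelta

# Constructed sample: one account's audit trail during a compromise.
SAMPLE_EVENTS = [
    {"time": "2024-05-07T08:55:00", "user": "lisa", "type": "login",
     "country": "NL", "device": "lisa-laptop"},
    {"time": "2024-05-07T09:12:00", "user": "lisa", "type": "login",
     "country": "RO", "device": "unknown-browser"},
    {"time": "2024-05-07T09:14:00", "user": "lisa", "type": "rule_created",
     "rule": {"name": "auto-archive",
              "forward_to": "invoice-approvals@example.net", "delete": True}},
    {"time": "2024-05-07T09:20:00", "user": "lisa", "type": "mail_sent",
     "to": "colleague@example.org", "subject": "research dataset"},
]

# Assumed baseline for this account (in practice derived from login history).
KNOWN_COUNTRIES = {"NL"}
KNOWN_DEVICES = {"lisa-laptop"}
INTERNAL_DOMAIN = "example.org"


def detect_signals(events, known_countries, known_devices, internal_domain,
                   window=timedelta(hours=1)):
    """Return (time, description) pairs for events matching the warning signs:
    unknown sign-in locations or devices, inbox rules that forward mail
    externally or hide it, and outbound mail shortly after a suspicious sign-in."""
    signals = []
    last_suspicious_login = None
    # ISO-8601 timestamps sort correctly as strings, so process in time order.
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "login":
            reasons = []
            if ev["country"] not in known_countries:
                reasons.append(f"unknown country {ev['country']}")
            if ev["device"] not in known_devices:
                reasons.append(f"unknown device {ev['device']}")
            if reasons:
                last_suspicious_login = t
                signals.append((ev["time"], "sign-in from " + ", ".join(reasons)))
        elif ev["type"] == "rule_created":
            rule = ev["rule"]
            forward_to = rule.get("forward_to")
            # Forwarding to an address outside the organisation is the
            # persistence/exfiltration setting described in the story.
            if forward_to and not forward_to.lower().endswith("@" + internal_domain):
                signals.append((ev["time"],
                                f"inbox rule {rule['name']!r} forwards mail to "
                                f"external address {forward_to}"))
            # A rule that deletes messages hides replies and warnings from the user.
            if rule.get("delete"):
                signals.append((ev["time"],
                                f"inbox rule {rule['name']!r} deletes messages"))
        elif ev["type"] == "mail_sent":
            # Mail sent soon after a suspicious sign-in is the "emails from your
            # own address that you did not write" warning sign.
            if last_suspicious_login and t - last_suspicious_login <= window:
                signals.append((ev["time"],
                                f"mail to {ev['to']} sent within {window} "
                                "of a suspicious sign-in"))
    return signals


if __name__ == "__main__":
    for when, what in detect_signals(SAMPLE_EVENTS, KNOWN_COUNTRIES,
                                     KNOWN_DEVICES, INTERNAL_DOMAIN):
        print(when, what)
```

On the constructed sample the first sign-in (known country and device) produces nothing, while the second sign-in, the two properties of the new rule and the follow-up mail each produce one signal. A real deployment would read these events from the mail platform's audit log and build the known-location and known-device baselines from the account's own history rather than hard-coding them.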

CERT-UT

CERT-UT is the university's Computer Emergency Response Team.